Postfix - blocking by From rather than sender


I have a ton of incoming spam that masquerades as being sent by me, but has a sender at some arbitrary spammer domain. e.g.



Return-Path: <admin@aiuw.com>
... (stuff elided, etc.)
Received: from [static-93.0.72.177-ttvi.com.br] (unknown [177.72.0.158])
(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
(No client certificate requested)
(Authenticated sender: admin@aiuw.com)
by Server22.lejj.com (Postfix) with ESMTPSA id B527943151
...
To: iain@example.com
From: <iain@example.com>


The sender to postfix is admin@aiuw.com, but by the time it's handed off to Cyrus-IMAP, it appears to be sent by me, and that means it's deposited into my recognized sender inbox.



I'd like to block all incoming mail from my domain (outgoing uses TLS + SMTP AUTH, and bypasses the checks, so I'm not worried about blocking myself), but since the sender address is not from my domain, I can't do that using sender rejection rules or SPF - these act on aiuw.com, not example.com.



I'm guessing there's no way to make Postfix handle the From line as part of the envelope information. Is that right, or am I missing something?



If not, what about a filter between Postfix and Cyrus-IMAP that could capture both the sender and From addresses and reject mismatches? Or, finally, a way of checking the sender address in a Sieve script, though I think that would get ugly quickly.



Apologies if this is a duplicate. I found several hits, but everything I saw was based on envelope sender, not From.










postfix cyrus sieve






asked Jan 8 at 23:24









Iain Brown





















2 Answers
I've been doing some research on this myself, and I found some ways to attack this from the "pre-inbox" angle.

If your receiving SMTP server is the same server users submit their outgoing mail to, then first, we've got the header_checks Postfix config. If we set it to pcre:/etc/postfix/header_checks, it'll check each header line against the regexps in that file. Here's what I have in that file:

# Reject mail whose From:, Sender: or Reply-To: claims one of our domains. Dots are escaped and the
# domain must end the address, so domain1.com.br is not caught. Postfix tables match case-insensitively.
/^(From|Sender|Reply-To):.*@domain1\.com([^a-z0-9.-]|$)/ REJECT stop impersonating me
/^(From|Sender|Reply-To):.*@domain2\.com([^a-z0-9.-]|$)/ REJECT stop impersonating me

Since my SMTP server receives mail for domain1.com and domain2.com, it'll reject all incoming mail with those domains. Though you only want to do this for the SMTP port (25), not the submission port (587), otherwise it'll prevent legitimate use of your domain. To do this, edit your master.cf, and add -o header_checks=regexp:/etc/postfix/header_checks under the line which starts with smtp. You can also specify a different header_checks file under your submission port settings to enforce different header rules for authenticated users.

The main issue with header_checks is that it only checks one header at a time. Another solution is to use content_filter, which looks at the message as a whole. I first discovered this while attempting to mitigate From: header fraud for all incoming mail, which led me to this neat bash script. Though you can use this as a starting point to create any filters of your choosing, as being able to intelligently examine the entire e-mail before delivery (assuming its contents aren't encrypted) is a very powerful thing.

Hope my information helps, perhaps together we can create the perfect fraud-rejection tool :)







edited May 20 at 18:36

























answered May 16 at 23:55









ARitz Cracker
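The header_checks approach above stands or falls on how tight the regular expression is. The following Python snippet is an added example, not code from the answer or from Postfix: it runs the answer's original pattern (unescaped dot, no terminator after the domain) and a tightened one over a handful of constructed From: lines and reports what each pattern would REJECT. "domain1.com" is the answer's own placeholder; Python's re module with IGNORECASE stands in for Postfix's regexp: and pcre: tables, which match case-insensitively by default, and the tightened pattern uses only syntax that both table types accept.

```python
"""Evaluate Postfix header_checks patterns against sample From: lines.

Added example, not from the original answer or from Postfix. Postfix
regexp/pcre tables are case-insensitive by default, so IGNORECASE is used
here to mimic them; the REJECT action itself is not modelled.
"""
import re

# Constructed sample header lines (not from the page), written the way
# header_checks sees them: one logical line per header, folding undone.
SAMPLE_HEADERS = [
    "From: <iain@domain1.com>",                          # the spoof from the question
    "From: Iain <IAIN@DOMAIN1.COM>",                     # same address, different case
    'From: "iain@domain1.com" <spammer@evil.example>',   # our address only in the display name
    "From: partner@domain1.com.br",                      # unrelated domain, legitimate mail
    "From: news@domain1.community",                      # unrelated domain, legitimate mail
    "Subject: question from iain@domain1.com",           # not an address header at all
]

# Pattern exactly as in the answer above: the dot is a wildcard and nothing
# has to follow ".com", so "domain1.com.br" and "domain1.community" also match.
LOOSE = r"^(From|Sender|Reply-To): .*@domain1.com"

# Tightened pattern: literal dot, and the domain must be followed by something
# that cannot continue a domain name (or by end of line). [^a-z0-9.-] is valid
# in both POSIX ERE (regexp:) and PCRE (pcre:) tables.
TIGHT = r"^(From|Sender|Reply-To):.*@domain1\.com([^a-z0-9.-]|$)"


def header_checks_match(pattern: str, header_line: str) -> bool:
    """True if a header_checks rule with this pattern would fire on the line."""
    return re.search(pattern, header_line, re.IGNORECASE) is not None


def rejected_by(pattern: str) -> list[str]:
    """Sample headers the given pattern would REJECT."""
    return [h for h in SAMPLE_HEADERS if header_checks_match(pattern, h)]


if __name__ == "__main__":
    for name, pat in (("loose", LOOSE), ("tight", TIGHT)):
        print(f"{name}:")
        for h in SAMPLE_HEADERS:
            verdict = "REJECT" if header_checks_match(pat, h) else "pass  "
            print(f"  {verdict} {h}")
```

The loose pattern rejects five of the six lines, including the two unrelated domains, which is mail from third parties you have no reason to block; the tightened one rejects only the three lines that actually carry your domain. Note that header_checks cannot tell a display name from an address, so the quoted lookalike line is rejected by both patterns; separating those two cases needs a real address parser rather than a regex over the raw header.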

I think I can finally answer my own question. I still wish I could capture both the envelope sender and message sender to reject the message in the SMTP transaction, and if anyone can suggest a better fix I'd appreciate it.

However, both envelope and message senders are available to Sieve, so there's a way to drop the incoming spam:

require ["envelope", "fileinto"];

# The From: header address is in my domain ...
if address :domain "From" "example.org" {
    # ... but the SMTP envelope sender (MAIL FROM) is not: spoofed, so trash it.
    if not envelope :domain "From" "example.org" {
        fileinto "Trash";
        stop;
    }
}

So if email claims to be from my domain, but the envelope address is not my domain, it's dropped.

Documentation on envelope I used: https://support.tigertech.net/sieve







answered Jan 30 at 17:38









Iain Brown
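The Sieve rule above runs at delivery time, after Postfix has already accepted the message. As an added example (not the answerer's code and not part of Cyrus or Postfix), the following Python reproduces the same test, From: address in my domain while the envelope sender is not, with a real RFC 5322 address parser, so the logic could be reused in a content_filter or milter that sees both the envelope and the headers. It also exercises the edges a practitioner runs into: the null sender of bounces, a display-name lookalike that this rule (and the Sieve address test) deliberately does not match, and your own post echoed back by a mailing list, which is the one common legitimate case the rule would trash. example.org and aiuw.com come from the page; partner.example, lists.example.net and mx.example.net and all message contents are made up for the example.

```python
"""Decide whether a message spoofs our domain in From: while its SMTP
envelope sender belongs to someone else.

Added example, not part of the original answer. It mirrors the Sieve rule
above with a real address parser, so the same check can run anywhere both
the envelope and the headers are visible (content_filter, milter).
All domains and messages below are constructed for the example.
"""
from email import policy
from email.parser import BytesParser

MY_DOMAINS = frozenset({"example.org"})  # assumed: domains this server receives mail for


def envelope_domain(mail_from: str) -> str:
    """Lower-cased domain of the MAIL FROM address; "" for the null sender <>."""
    addr = mail_from.strip().strip("<>")
    return addr.rpartition("@")[2].lower()


def from_header_domains(raw: bytes) -> set[str]:
    """Domains of the addresses in every From: header (RFC 5322 allows several).

    Only the addr-spec counts: a display name such as "iain@example.org" in
    front of <x@other.example> is not an address, which is also how Sieve's
    address :domain "From" behaves.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    return {a.domain.lower()
            for h in msg.get_all("From", [])
            for a in h.addresses if a.domain}


def spoofed_from(mail_from: str, raw: bytes, my_domains=MY_DOMAINS,
                 trusted_forwarders=frozenset()) -> bool:
    """True when From: claims one of my_domains but the envelope sender does not.

    trusted_forwarders: envelope domains allowed to carry our From:, e.g. a
    mailing list that redistributes our own posts under its bounce address.
    The null sender has no domain, so bounces are judged on From: alone.
    """
    env = envelope_domain(mail_from)
    if env in my_domains or env in trusted_forwarders:
        return False
    return not from_header_domains(raw).isdisjoint(my_domains)


# Constructed samples: (MAIL FROM, raw headers, expected verdict without trusted forwarders)
SAMPLES = [
    ("admin@aiuw.com",
     b"From: <iain@example.org>\r\nTo: iain@example.org\r\nSubject: hi\r\n\r\n",
     True),    # the case from the question: spoofed From:, foreign envelope
    ("<iain@example.org>",
     b"From: Iain <iain@example.org>\r\nTo: bob@partner.example\r\n\r\n",
     False),   # our own mail
    ("<>",
     b"From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\r\n\r\n",
     False),   # bounce from the null sender; nothing to compare, From: is not ours
    ("bob@partner.example",
     b'From: "iain@example.org" <bob@partner.example>\r\n\r\n',
     False),   # lookalike in the display name only; not an address, not caught
    ("list-bounces@lists.example.net",
     b"From: iain@example.org\r\nList-Id: <dev.lists.example.net>\r\n\r\n",
     True),    # our own post echoed by a list: a false positive unless the list is trusted
]


def run_samples(trusted_forwarders=frozenset()) -> list[bool]:
    """Verdict for each sample, in order."""
    return [spoofed_from(mf, raw, trusted_forwarders=trusted_forwarders)
            for mf, raw, _ in SAMPLES]


if __name__ == "__main__":
    for (mf, raw, expected), got in zip(SAMPLES, run_samples()):
        verdict = "REJECT" if got else "accept"
        print(f"{verdict} MAIL FROM:<{mf.strip('<>')}>  (expected {expected})")
```

Passing the list's bounce domain in trusted_forwarders turns the last sample into an accept while leaving the spoof rejected; an allowlist of envelope domains is preferable to trusting a List-Id header, since a spammer can add that header as easily as a forged From:.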
